io.github.yuna0x0/hackmd-mcp

A Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants.

StaleNot tested

46No CVEsstale

Quick Install

{
  "mcpServers": {
    "hackmd": {
      "env": {
        "HACKMD_API_TOKEN": "your_api_token"
      },
      "args": [
        "-y",
        "hackmd-mcp"
      ],
      "command": "npx"
    }
  }
}

Setup guide

Should you use this server?

A Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants.

✓

Is it safe?

No known CVEs for @modelcontextprotocol/inspector. 2 previously resolved.

No authentication — any process on your machine can connect.

License not specified.

Is it maintained?

Last commit 127 days ago. 55 stars.

Will it work with my client?

Transport: stdio, http. Works with Claude Desktop, Cursor, Claude Code, and most MCP clients.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y @modelcontextprotocol/inspector 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Score Breakdown

MCPpedia Score

Click each category to see evidence

46C

Last scored 10h ago

How we score →

Security

19/30

No open vulnerabilities. 2 fixed CVEs.

✓

Known CVEs — No known CVEs for @modelcontextprotocol/inspectorcheck OSV.dev

○

Tool safety — No tools to analyze

Advisories (0 open, 2 fixed)

mediumCVSS 4CVE-2025-58444Fixed

MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server

An XSS flaw exists in the MCP Inspector local development tool when it renders a redirect URL returned by a remote MCP server. If the Inspector connects to an untrusted server, a crafted redirect can inject script into the Inspector context and, via the built-in proxy, be leveraged to trigger arbitrary command execution on the developer machine. Version 0.16.6 hardens URL handling/validation and prevents script execution. > Thank you to the following researchers for their reports and contributi

Affected: >= 0Fixed in 0.16.6Published Sep 8, 2025source \u2192

mediumCVSS 4CVE-2025-49596Fixed

MCP Inspector proxy server lacks authentication between the Inspector client and proxy

Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities. Credit: Rémy Marot <bughunters@tenable.com>

Affected: >= 0Fixed in 0.14.1Published Jun 13, 2025source \u2192